Professional Ruby on Rails™

by Noel Rappin
Wrox, February 2008
Intermediate to advanced, 479 pages

Content preview from Professional Ruby on Rails™

3.4. Storing Encrypted Passwords

Storing user passwords in the database as clear text is a security risk, because anybody who gets access to your database (a stolen backup, a SQL injection hole, a careless developer with a production console) can instantly steal any user's login, and very likely that user's login on other sites where the same password was reused. Although that's not necessarily a big deal on this little recipe site, in general letting people's passwords leak is A Bad Thing. Among the many advantages of storing only a hash of each password rather than the password itself (the section title, and much casual usage, calls this "encrypting", but nothing here is ever decrypted) is that not even you can get at the password data, which is a nice thing to be able to say to your users.

If you aren't familiar with encryption and passwords, then the inclusion of a user data attribute called salt probably raised an eyebrow. I know that this is a recipe site but actually including salt in the user database seems a bit ... literal.

You are going to use one of the cryptographic hash (digest) modules available to a Rails application to create a hash from the user password. A hash is deterministic (the same input always produces the same digest), but it is a one-way function: it is computationally infeasible to recover the original password from the digest. By saving the hash instead of the password, you can still validate a login by hashing what the user typed and comparing it to the stored digest, but a malicious miscreant who got hold of the hash could not read the password out of it and use it to perform a fake login. What that miscreant can still do is guess: hash candidate passwords offline and look for a match. The salt described next, and a hash function that is deliberately slow, are what make that guessing expensive.

Salt is a cryptographic term for a random or semi-random sequence that is fed into a cryptographic algorithm along with the message being hashed (or encrypted). It is not a secret; it is stored in the clear next to the digest, and its job is to make the digest depend on something other than the password alone, so that two users with the same password get different digests and an attacker cannot reuse one precomputed table of digests against every account. In this case, each user will have his or her own unique salt sequence, and you will ...
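The per-user salt and digest scheme this section describes, as an added worked example (it is not the book's code, and the record layout, the hypothetical `:salt` / `:crypted_password` keys and the `SaltedPassword` module name are assumptions for illustration). It shows the 2008-era form the text is building toward, a single SHA-1 pass over the salt and password, next to the form a practitioner would use today, the same salt fed into a deliberately slow iterated hash (PBKDF2-HMAC-SHA256 from Ruby's standard `openssl` library), plus a constant-time comparison for the login check.

```ruby
require "digest"
require "openssl"
require "securerandom"

# Added example, not code from Professional Ruby on Rails. The user "record"
# is a plain Hash standing in for an ActiveRecord row; :salt and
# :crypted_password are assumed column names.
module SaltedPassword
  # One random 128-bit salt per user, drawn from the OS CSPRNG. The salt is
  # stored in the clear beside the digest; it only needs to be unique.
  def self.generate_salt
    SecureRandom.hex(16)
  end

  # Book-era scheme: one unkeyed SHA-1 over "--salt--password--". Kept only to
  # show the structure. It is fast to compute, which is exactly why it is weak
  # against offline guessing once the table is stolen.
  def self.legacy_digest(password, salt)
    Digest::SHA1.hexdigest("--#{salt}--#{password}--")
  end

  # Work factor for the stretched scheme (assumed value; tune to your hardware).
  ITERATIONS = 100_000

  # Stretched scheme: PBKDF2-HMAC-SHA256 with the same per-user salt, so every
  # guess against one account costs ITERATIONS hash operations and a table
  # built for one account is useless against another.
  def self.stretched_digest(password, salt, iterations: ITERATIONS)
    key = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                   length: 32, hash: "sha256")
    key.unpack1("H*")
  end

  # Constant-time equality: XOR every byte pair and OR the results, so the
  # comparison does not exit early and leak how many leading bytes matched.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Build the user record: store the salt, the digest and the work factor used,
  # never the password itself.
  def self.create_user(login, password)
    salt = generate_salt
    { login: login,
      salt: salt,
      crypted_password: stretched_digest(password, salt),
      iterations: ITERATIONS }
  end

  # Authenticate by recomputing the digest with the stored salt and work factor
  # and comparing it to the stored digest.
  def self.authenticate(user, password)
    candidate = stretched_digest(password, user[:salt], iterations: user[:iterations])
    secure_compare(candidate, user[:crypted_password])
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: two users who happen to choose the same password.
  alice = SaltedPassword.create_user("alice", "correct horse battery staple")
  bob   = SaltedPassword.create_user("bob",   "correct horse battery staple")
  puts "same password, different digests: #{alice[:crypted_password] != bob[:crypted_password]}"
  puts "alice logs in:  #{SaltedPassword.authenticate(alice, 'correct horse battery staple')}"
  puts "wrong password: #{SaltedPassword.authenticate(alice, 'password1')}"
end
```

Storing the iteration count with each record is what lets you raise the work factor later and rehash a user's password the next time they log in, without invalidating existing accounts.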



ISBN: 9780470223888